security-services message



Subject: RE: [security-services] Errata for NameIDPolicy



So the new proposed text is below.

Are there any constraints on the NameID values in SubjectConfirmation (related to NameIDPolicy)?


"When a Format defined in Section 8.3.7 is used other than urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if the identity provider returns any assertions:

- the Format value of the <NameID> within the <Subject> of any <Assertion> MUST be identical to the Format value supplied in the <NameIDPolicy>, and

- if SPNameQualifier is not omitted in <NameIDPolicy>, the SPNameQualifier value of the <NameID> within the <Subject> of any <Assertion> MUST be identical to the SPNameQualifier value supplied in the <NameIDPolicy>."

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Friday, June 03, 2005 1:01 PM
To: 'Thomas Wisniewski'; 'SAML'
Subject: RE: [security-services] Errata for NameIDPolicy


> "When a Format defined in Section 8.3.7 is used other than
> urn:oasis:names:TC:SAML:2.0:nameid-format:unspecified or
> urn:oasis:names:TC:SAML:2.0:nameid-format:encrypted, then if
> the identity provider returns any assertions, the Format
> value of the <NameID> within any <Assertion> MUST be
> identical to the Format value supplied in the <NameIDPolicy>.

Small clarification, I'd change that to:

"value of the <NameID> within the <Subject> of any <Assertion> MUST be..."

NameID shows up inside subject confirmation also, just wanted to be precise.

> If the Format value is set to
> urn:oasis:names:TC:SAML:2.0:nameid-format:persistent and if
> the SPNameQualifier is not omitted, then if the identity
> provider returns any assertions, the SPNameQualifier value of
> the <NameID> within any <Assertion> MUST be identical to the
> SPNameQualifier value supplied in the <NameIDPolicy>."

I don't think we need to constrain this to persistent. SPNameQualifier is currently a SHOULD NOT as far as using it with anything else because no other format defines its use, but if a new one does, that's fine.

I think it should simply be "match it" without regard to the format.

-- Scott
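The two MUST clauses in the proposed text, plus Scott's clarification that only the <NameID> under <Subject> is constrained, translate directly into a service-provider-side check. The example below is added here and is not code from the thread or from any OASIS deliverable. It uses the normative namespace and format URIs from SAML 2.0 Core (lowercase "tc"; the unspecified format carries the 1.1 prefix, and an omitted Format defaults to it per section 8.3.1), and the AuthnRequest and Response messages are constructed for the example.

```python
"""Check each Assertion's Subject <NameID> against the AuthnRequest's <NameIDPolicy>,
applying the Format and SPNameQualifier matching rules proposed in the thread."""
import xml.etree.ElementTree as ET

# Namespaces as defined by the SAML 2.0 schemas.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Formats the proposed text exempts from the matching rule (SAML Core 8.3 URIs).
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ENCRYPTED = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"
EXEMPT_FORMATS = {UNSPECIFIED, ENCRYPTED}


def nameid_matches_policy(policy_format, policy_spnq, nameid_format, nameid_spnq):
    """Apply the two proposed MUST clauses to one (NameIDPolicy, NameID) pair.

    Returns a list of violations; an empty list means the NameID complies.
    A missing Format on either side means 'unspecified' (SAML Core 8.3.1).
    """
    policy_format = policy_format or UNSPECIFIED
    nameid_format = nameid_format or UNSPECIFIED
    problems = []
    if policy_format in EXEMPT_FORMATS:
        return problems  # unspecified / encrypted: no constraint at all
    if nameid_format != policy_format:
        problems.append(f"Format mismatch: requested {policy_format}, got {nameid_format}")
    # SPNameQualifier is only constrained when the request actually supplied one.
    if policy_spnq is not None and nameid_spnq != policy_spnq:
        problems.append(f"SPNameQualifier mismatch: requested {policy_spnq}, got {nameid_spnq}")
    return problems


def check_response_against_request(authn_request_xml, response_xml):
    """Map each Assertion ID in the Response to its list of violations.

    Only the <NameID> directly under <Subject> is checked. A <NameID> inside
    <SubjectConfirmation> names the confirming party, not the subject, and is
    deliberately ignored (Scott's clarification in the thread).
    """
    req = ET.fromstring(authn_request_xml)
    policy = req.find("samlp:NameIDPolicy", NS)
    policy_format = policy.get("Format") if policy is not None else None
    policy_spnq = policy.get("SPNameQualifier") if policy is not None else None

    findings = {}
    for assertion in ET.fromstring(response_xml).findall("saml:Assertion", NS):
        aid = assertion.get("ID", "<no ID>")
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        if nameid is None:
            # EncryptedID or no identifier: the rule cannot be verified before
            # decryption, so report it rather than silently pass.
            findings[aid] = ["no plaintext <NameID> under <Subject>"]
            continue
        findings[aid] = nameid_matches_policy(
            policy_format, policy_spnq, nameid.get("Format"), nameid.get("SPNameQualifier"))
    return findings


# Constructed sample messages for the example (not from any real deployment).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2005-06-03T17:01:00Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://sp.example.org/" AllowCreate="true"/>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2005-06-03T17:01:05Z">
  <saml:Assertion ID="_good" Version="2.0" IssueInstant="2005-06-03T17:01:05Z">
    <saml:Issuer>https://idp.example.org/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          SPNameQualifier="https://sp.example.org/">_9f2c1a8d4e</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">confirmer</saml:NameID>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_bad" Version="2.0" IssueInstant="2005-06-03T17:01:05Z">
    <saml:Issuer>https://idp.example.org/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for assertion_id, problems in check_response_against_request(AUTHN_REQUEST, RESPONSE).items():
        print(assertion_id, problems or "OK")
```

The second assertion fails on both clauses (wrong Format, SPNameQualifier omitted), while the first passes even though its SubjectConfirmation carries a NameID in a different format, which is exactly the distinction the thread draws.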


